In the world of kinetic military operations, collateral damage is typically straightforward to assess because of well-established definitions, well-understood weapon characteristics, and reasonably well-defined legal and policy frameworks. In traditional warfare, collateral damage occurs when a hostile action causes unintended physical damage to civilian persons or objects.
Cyberattacks that cause physical damage would presumably be assessed using the same criteria. But what happens when the consequences of a cyberattack are not physical? What happens when a digital missile destroys or corrupts data in a manner that is not intended by the person launching a lawful cyberattack? Current legal and policy frameworks for assessing collateral damage do not squarely address the matter (or at least they do not do so publicly)—and that needs to change.
In the last several decades the U.S. military and its sister services have developed a well-defined methodology to assess collateral damage as they plan military operations. The methodology is a detailed five-step process that involves: (1) identifying the target; (2) determining whether protected persons or objects are within range of the target; (3) estimating the collateral damage that will occur; (4) determining whether there are other weapons that can accomplish the objective with less collateral damage; and finally (5) evaluating whether the anticipated collateral damage exceeds the military advantage. Because munitions in the American arsenal have well-defined physical properties—blast radius, impact and the like—military planners can have confidence in the accuracy of their collateral damage estimations. Mistakes are possible, of course. But the methodology is well-established and generally produces predictable results.
In a forthcoming paper, we attempt to adapt this kinetic methodology to cyber effects in order to articulate the process for estimating collateral effects from a cyber operation.
As we discuss, there are three main challenges involved in translating this existing framework to the context of cyber operations. The first—and most significant—question involves the scope of the collateral damage estimation: specifically, whether it should apply to damage to data in addition to physical consequences. The second question revolves around whether, because of potentially unknown network interdependencies, we can estimate the collateral consequences of cyberattacks with confidence. And the final significant question revolves around how any framework for cyber collateral damage can apply to law enforcement operations like botnet takedowns.
First, as to the question of scope, the present collateral damage framework developed in accordance with the law of armed conflict applies only to situations where an attack results in unintended physical harm. And of course, cyberattacks can certainly cause physical harm—Stuxnet being the clearest public example. But far more common are cyberattacks that result in the manipulation or deletion of data, which may have significant financial, political, or other consequences, whether or not there is physical damage. Think of the political fallout of the intrusion into the email and other systems controlled by the DNC, the intelligence risks created by the OPM hack, and the economic harm that befell Saudi ARAMCO after a cyberattack destroyed tens of thousands of company computers. It appears that the current framework would not properly recognize and assess even tangible consequences stemming from the loss or destruction of data (e.g. deletion of an entire customer or financial database). Failure to develop such a framework might cause operational planners to neglect important considerations in their efforts or, at the other extreme, hinder critical cyber operations altogether.
The second main challenge in creating a framework for cyber collateral damage revolves around estimating the second order effects of a proposed operation with confidence. On the one hand, digital systems are manmade and have only the properties with which we endow them. In theory, how they interact with each other should be deterministic, and therefore knowable. But networks and systems are complex, interact in a variety of ways, and may have unanticipated interdependencies that lead to collateral effects that are difficult to assess ex ante. One famous example is the Pentagon’s 2008 takedown of a forum used by extremists in Iraq, which inadvertently caused Internet outages in Saudi Arabia and Texas. Would it have been possible to anticipate those outages in advance? If so, what framework should have been used to evaluate the advantages pursued by the operation against the anticipated harm? Presumably, using such a framework would require the investment of significant intelligence resources in advance of an operation to map a network topology and learn about the kinds of interdependencies that exist; is this kind of resource-intensive assessment feasible in the case of most planned cyberattacks?
Finally, there are important questions about the application of collateral damage estimation frameworks to domestic law enforcement operations. The military, of course, is not the only governmental body in the U.S. that conducts cyber operations. Law enforcement agencies engage in different types of cyber operations, among them the use of Network Investigative Techniques (NITs) and botnet takedowns. In the latter context in particular, attention has been paid to the collateral consequences involved when law enforcement agencies and private companies shut down traffic or servers contributing to botnet activities.
But there has been no public discussion of a framework for assessing the collateral consequences of cyber operations by law enforcement agencies. Hints of the problem, however, abound. In an analogous context, a Pennsylvania court struck down a statute that required Internet Service Providers (ISPs) to block child pornography when served with a court order requiring them to do so. The ISPs maintained that no matter what technique they used, the blocking resulted in an excessive impact on uninvolved legitimate web traffic. Legitimate users of sites that were blocked when the ISPs filtered out child pornography sued and the court struck down the statute on First Amendment grounds. It is important to consider whether we can and should develop a collateral damage estimation methodology for these types of operations, one that we can deploy with levels of confidence similar to those obtained through the existing process of estimating collateral damage in the military context.
The present framework for evaluating collateral damage in the kinetic context took a long time to develop. We hope to begin a serious discussion about a similar methodology for evaluating the collateral effects of cyber operations on those who would not be lawful targets. Such a discussion is necessary as cyber operations become more common in a range of contexts.